A new quantum-safe multivariate polynomial public key digital signature algorithm

We propose a new quantum-safe digital signature algorithm called Multivariate Polynomial Public Key Digital Signature (MPPK/DS). The core of the algorithm is based on the modular arithmetic property that for a given element g, greater than or equal to two, in a prime Galois field GF(p) and two multivariate polynomials P and Q, if P is equal to Q modulo p-1, then g to the power of P is equal to g to the power of Q modulo p. MPPK/DS is designed to withstand the key-only, chosen-message, and known-message attacks. Most importantly, keeping the element g secret disfavors quantum computers’ capability to solve the discrete logarithm problem. The security of the MPPK/DS algorithm stems from choosing a prime p associated with the field GF(p), such that p is one plus the product of an odd prime number q and a power x of two. Given such a choice of a prime, choosing even coefficients of the publicly available polynomials makes it hard to find any private information modulo p-1. Moreover, it makes it exponentially hard to lift the solutions found modulo q to the ring of integers modulo p-1 by properly arranging x and q. However, finding private information modulo the components q and power x of two is an NP-hard problem since it involves solving multivariate equations over the chosen finite field. The time complexity of searching a private key from a public key or signatures is exponential over GF(p). The time complexity of perpetrating a spoofing attack is also exponential for a field GF(p). MPPK/DS can achieve all three NIST security levels with optimized choices of multivariate polynomials and the generalized safe prime p.

www.nature.com/scientificreports/ transformation. MQDSS falls under this category. They showed that forging a signature for the 128-bit security level version of MQDSS can be done in $2^{95}$ operations. To avoid the attack, new parameters were proposed that make the scheme significantly worse in performance [15]. That caused the elimination of the MQDSS method from the standardization project. The GeMSS scheme did not have any serious security concerns in Round two. Its significant drawbacks are enormous public keys, difficulty implementing the algorithm on low-end devices, and slow signing times [19]. The security of the GeMSS scheme relies on HFE construction. Ding et al. studied the security of the HFE cryptosystem [34]. They presented a new algebraic method to attack the HFEv cryptosystem, using the algebraic structure of HFEv. The idea of the attack is to view the new vinegar variables as an external perturbation and to try to separate them, which can be done efficiently for small parameters $D + r$. However, the complexity of the attack is exponential in the small parameter r. Overall, the GeMSS scheme is considered secure and is a NIST round-three finalist in the alternative digital signature scheme category.
We now shift the attention to the DLP. The DLP is the core mathematical problem underlying many widely used cryptosystems such as Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH). It is, however, as we pointed out, not secure against attacks using quantum devices [4]. In our digital signature scheme, we use in part a construction similar to the one of DH. However, we do not share the base with the verifier, nor do we share the exponent. Nevertheless, we feel that it is worthwhile investigating any advances related to DLP.
Using Pollard's rho algorithm one might solve DLP in a cyclic group of size q with computational complexity of $O(\sqrt{q})$ [35]. Assuming DLP in a group GF(n), where $n = uv$, if one knows u and v, one might reduce DLP to a smaller DLP using the Chinese Remainder Theorem and Pohlig-Hellman algorithm. Then it is possible to solve the reduced problem with $O(\sqrt{q})$ modular multiplications [36]. Boudot et al. set two new records: factorizing RSA-240, a 795-bit number, and computing a discrete logarithm over a 795-bit prime field. They used the same system to set both records, thus showing that the difficulty of computing discrete logarithm is comparable to the problem of factorization of the same bit size [37]. Granger et al. computed a discrete logarithm in the finite field $GF(2^{30750})$ using the elimination step of the Granger, Kleinjung, and Zumbrägel's algorithm [38] recursively. Corrigan-Gibbs and Kogan studied algorithms to solve DLP that utilize pre-processing [39]. They showed that any generic discrete logarithm algorithm with pre-processed S-bit "advice" string runs in online time T and succeeds with probability $\epsilon$ if $ST^2 = \tilde{\Omega}(\epsilon N)$, where N is the order of the underlying group. They also demonstrated two new generic pre-processing attacks: one for the multiple-discrete-log problem and one for certain decisional-type problems in groups. Hong et al. proposed a fuzzy Hellman algorithm that solves DLP using a one-time pre-computation process [36]. Given the pre-computation cost and online efficiency, this algorithm performs better than other known algorithms. Bellare introduced the Multi-Base Discrete Logarithm [40] that fills a gap exhibited by all known standard proofs [41,42] of the security of Schnorr's identification and signatures algorithms [43]. Teseleanu produced the first l out of n threshold kleptographic attack on discrete logarithm-based digital signatures by combining the notions of threshold scheme and kleptographic attack [44].
Recently, Abdullah et al. presented a new way to solve the elliptic curve DLP, using initial minors [45]. Practical implementation showed that the attack could be performed for groups of orders up to $2^{50}$.
Roetteler et al. gave a precise estimate of quantum resources needed to compute discrete logarithm on elliptic curves over prime fields using Shor's algorithm [46]. They showed that it takes at most $9n + 2\lceil \log_2(n) \rceil + 10$ qubits to compute discrete logarithm on an elliptic curve defined over n-bit prime field, using a quantum circuit of at most $448 n^3 \log_2(n) + 4090 n^3$ Toffoli gates. This result supports the one presented earlier by Proos and Zalka [47] and suggests that the number of qubits required to break Elliptic Curve Cryptography (ECC) is less than the number needed to break RSA. Ekerå bridged their work with Shor's work on computing discrete logarithms as well as Seifert's work on computing orders with trade-offs to give an algorithm that computes discrete logarithms without any knowledge of the group order [48]. Moreover, compared to Shor's algorithm, their algorithm has a factor of two fewer group operations evaluated quantumly in each run, at the expense of multiple runs.
In addition to PQC digital signature schemes, another promising idea using quantum systems to create digital signatures has emerged, called Quantum Digital Signature (QDS). The QDS was first proposed by Gottesman and Chuang [49], signing classical bits with qubits. QDS offers information-theoretic security of signatures guaranteed by the laws of quantum mechanics. Lü and Feng proposed their QDS based on quantum one-way functions [50], a novel arbitrated quantum digital signature scheme to sign general quantum states. Clarke et al. experimentally demonstrated QDS using phase-encoded coherent states [51]. Wallen et al. presented their QDS with QKD components and offered their security proof [52]. Hong et al. presented their QDS in a network with a signer, multiple verifiers, and a trusted center, a quantum counterpart of the classical PKI [53]. Single-bit QDS was first extended to multi-bit QDS by Wang et al. [54] and further by Wang and Wang in 2019 with a more efficient protocol [55]. Inspired by the measurement-device-independent continuous-variable scheme in QKD, Zhao et al. first proposed their Continuous-Variable QDS (CV-QDS) in 2021 for both single-bit and multi-bit schemes [56]. They later improved CV-QDS to remove the loopholes of the practical detectors and eliminate all side-channel attacks [57].
To visualize the various approaches and differences between the described digital signature schemes, we provide Table 1. There are two groups of rows: classical data and quantum data. The first column lists classical techniques applicable to classical data. The second group of columns summarizes quantum techniques applicable to classical or quantum data. In the classical data case, we provide the name of the primitive, basis, known most effective attack, and whether it is considered for the NIST third round. In the quantum data case, we provide the name of two applicable techniques.

MPPK digital signature and verification
MPPK/DS is a digital signature and verification scheme that uses public keys. We formally define the concept of a digital signature and verification using public keys, consistently with other authors [58,59].
1. A chosen generalized safe prime $p = 2^x q + 1$ that determines the index of a finite field defining the domain of all coefficients and variables. Note that its Euler's totient $\phi(p)$ is equal to $p - 1$, or $2^x q$.
2. Positive integers m, n, and λ, that respectively specify the number of noise variables, the degree of a base polynomial, defined in Eq. (1), and the degree of two univariate polynomials, defined in Eq. (3).
3. The positive integers $\ell_1, \ldots, \ell_m$ that determine the degrees of noise variables in the base polynomial, as defined in Eq. (2).
The signer and verifier agree on the actual values of the security parameters upon establishing communication.
Note that the set GF(p), or $\mathbb{Z}/p\mathbb{Z}$, denotes the integers modulo p. Let GF(p) be the domain of variables $x_0, x_1, \ldots, x_m$. Variable $x_0$ denotes a message or the hashed value of a message. Variables $x_1, \ldots, x_m$, with $m \geq 1$, represent noise. We also refer to the set $GF(\phi(p))$, or $\mathbb{Z}/\phi(p)\mathbb{Z}$, the integers modulo $\phi(p)$.
With all arithmetic done modulo $\phi(p)$, the following mathematical objects are created by the signer:

1. A multivariate base polynomial of the form
The constants $l_1, \ldots, l_m$ are positive integers. The coefficients $c_{ij_1 \ldots j_m}$ are randomly selected from $GF(\phi(p))$. Written with respect to the variable $x_0$, Eq. (1) is a polynomial of the form
2. Two univariate polynomials of the form
The coefficients $f_i$ and $h_i$ are randomly selected from $GF(\phi(p))$.
3. Using the base polynomial and two univariate polynomials, two product polynomials are created
Polynomial $\varphi(x_0, x_1, \ldots, x_m)$ can also be written in the form (similarly for $\psi(x_0, x_1, \ldots, x_m)$)
( for randomly selected e φ i , e ψ i ∈ $GF(\phi(p))$.
5. Two even random integers $R_0$, $R_n$ in $GF(\phi(p))$.
6. Using the integers $R_0$, $R_n$, two noise functions are created
where $\beta_0(x_1, \ldots, x_m)$ and $\beta_n(x_1, \ldots, x_m)$ are as defined in Eq. (2).
7. Let $\Phi(x_0, x_1, \ldots, x_m)$ be the polynomial $\varphi(x_0, x_1, \ldots, x_m)$ without the highest order term and the constant term with respect to the variable $x_0$, namely
where the coefficients $\varphi_k(x_1, \ldots, x_m)$ are as defined in Eq. (5), ignoring the constant term and highest order term with respect to the variable $x_0$. Such polynomial is created. Similarly, polynomial is created.
8. Using $E_{\varphi}(x_0)$, $E_{\psi}(x_0)$, $R_0$, $R_n$, $\Phi(x_0, x_1, \ldots, x_m)$, and $\Psi(x_0, x_1, \ldots, x_m)$ two polynomials are created.
The private key s consists of the following items:
1. The two univariate polynomials $f(x_0)$ and $h(x_0)$.
2. The values of the two even noise constants $R_0$ and $R_n$.
Signing algorithm. Let µ be a message, or the hash of a message. Let $g \in GF(p)$, with $g \geq 2$, be a randomly selected base. All arithmetic is done modulo $\phi(p)$, unless specified otherwise. Using the signer's private key s, the signing algorithm consists of computing the following items:
The digital signature is the quintuple (A, B, C, D, E). The signing algorithm yields $S_s(\mu) = (\mu, (A, B, C, D, E))$. The components A, B, C, D and E are required to be not equal to 0 or 1. If any of A, B, C, D and E is 1, a new random base g is chosen and a new quintuple (A, B, C, D, E) is created. The signer sends the pair (µ, (A, B, C, D, E)) to the verifier.
Signature verifying algorithm. All arithmetic is done modulo $\phi(p)$, unless specified otherwise. Upon receiving a message (or the hash of a message) µ and a corresponding signature (A, B, C, D, E) from a signer, the verifier applies the signature verifying algorithm using the signer's public key v. Using µ for $x_0$ and randomly chosen positive values $r_1, \ldots, r_m \in GF(\phi(p))$ for the noise variables $x_1, \ldots, x_m$, the verifier evaluates the two public polynomials and the noise functions
When $A^{Q}$ is equal to $B^{P} C^{N_0} D^{N_n} E \bmod p$, the signature verifying algorithm $V_v(\mu)$ returns (µ, VALID), otherwise it yields (µ, INVALID).
Note that there are multiple choices for the random variables $x_1, \ldots, x_m$. They all produce various values for P, Q, $N_n$, and $N_0$. Thus, MPPK/DS falls into the category of non-deterministic digital signature algorithms in the sense that verifying the same valid signature several times with different values of the polynomial results in equalities.
Proof It follows from the modular arithmetic property: if $a \equiv b \bmod \phi(p)$, then $g^a = g^b \bmod p$, where g and p are co-prime numbers. Note that polynomial $R_0 R_n \varphi(x_0, x_1, \ldots, x_m)$ can be expressed as and polynomial $R_0 R_n \psi(x_0, x_1, \ldots, x_m)$ can be expressed as Multiplying polynomial $\varphi(x_0, x_1, \ldots, x_m)$ by $R_0 R_n h(x_0)$, and $\psi(x_0, x_1, \ldots, x_m)$ by $R_0 R_n f(x_0)$ yields the following equality.
Using Eqs. (12) and (13), Eq. (14) can be expanded as This expression can be rewritten as
$g^{aQ} = g^{bP} g^{cN_0} g^{dN_n} g^{e} \bmod p$ or $A^{Q} = B^{P} C^{N_0} D^{N_n} E \bmod p$.

Security analysis
We discuss attack models on digital signature algorithms. There are three attack types: chosen-message, known-message, and key-only. There are two sub-categories in the chosen-message attack: direct-chosen and generic-chosen, depending on whether the adversary knows the public key. If the adversary knows the public key, then the direct-chosen method can replace a message signed by the signer with a message the adversary wants but with the signer's signature. If the adversary does not know the public key, then the generic-chosen method can trick the signer into digitally signing a message that it does not intend to sign. In the known-message attack, the adversary obtains old messages and signatures. It tries to forge signatures for messages that the signer does not intend to sign. It uses brute force to analyze old data to recreate the signer's signature. This attack is analogous to the known-plaintext attack on encryption. The signer's public key is assumed to be available to everyone in the key-only attack. The adversary uses this fact and tries to recreate the signer's signature and digitally sign messages that the signer does not intend to sign. This poses a significant threat to the authentication of messages, which is non-repudiated as the signer cannot deny signing it. A digital signature using RSA [1], without hashing messages, is vulnerable to the known-message and chosen-message attacks. This is due to its multiplicative property where a product of messages leads to a product of their signatures. Once an attacker knows the public key, then the signer is requested to sign a public key encrypted message y. The returning signature x forms a message-signature pair of x and y called a key-only attack. Therefore, the RSA digital signature must be used with a cryptographic hash function.
The ElGamal digital signature [60] and Digital Signature Algorithm (DSA) [10], based on the DLP, also require the use of a cryptographic message hash function to prevent existential forgery.
These digital signature attacks are not applicable to MPPK/DS. Unlike the RSA signature scheme, MPPK/DS is not a one-way trap door type of digital signature, with decryption for signing and encryption for verification. It is also not a DLP-type signature scheme like DSA, with a public generator as the base of modular exponentiation. Most importantly, it does not use a secret message directly as the exponent in the modular exponentiation to calculate the signature. It uses polynomials evaluated at the message in the exponent for modular exponentiation. Therefore, MPPK/DS is not vulnerable to the above signature attacks. Furthermore, techniques for solving the DLP, such as the ones using Shor's quantum algorithm, are not directly applicable.
Cracking MPPK/DS boils down to producing a signature for a fake message that passes verification. In other words, it requires a universal or selective forgery of signatures. To achieve that, adversaries must crack public keys or signatures to obtain private keys or directly brute force the values A, B, C, D, and E consistently with the verification relationship.
In the remainder of this section, we analyze the security of MPPK/DS. We examine possible approaches a malicious party could take to obtain the private key from a public key and a signature. We also discuss digital signature spoofing vulnerabilities.
We start by considering whether it is possible to obtain any components of the private key from the published coefficients of polynomials $P(x_0, x_1, \ldots, x_m)$ and $Q(x_0, x_1, \ldots, x_m)$. Note that all the calculations involving private and public keys are performed modulo $\phi(p) = p - 1 = 2^x q$. Recall that every term of the coefficients of the public polynomials $P(x_0, x_1, \ldots, x_m)$ and $Q(x_0, x_1, \ldots, x_m)$ contains $R_0$ and $R_n$ respectively. Since both $R_0$ and $R_n$ are not co-prime with $\phi(p)$, it is not possible for a malicious party to solve the system of equations generated by the coefficients of $P(x_0, x_1, \ldots, x_m)$ and $Q(x_0, x_1, \ldots, x_m)$ correctly in the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$. That is because it is impossible to divide by the terms containing $R_0$ and $R_n$ in the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$. However, q and $2^x$ are co-prime, so the ring of integers $\mathbb{Z}/\phi(p)\mathbb{Z} \cong \mathbb{Z}/q\mathbb{Z} \times \mathbb{Z}/2^x\mathbb{Z}$. Hence, calculations to obtain private keys from public keys can essentially be performed modulo q and $2^x$, and then lifted to modulo $\phi(p) = 2^x q$. Notice that since $R_0$ and $R_n$ are even it is not possible to gain any information modulo $2^x$. Hence, the attacker is reduced to solving the system of equations modulo q, and lifting the solutions to the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$ in order to find the actual solution.
Since it is not possible to fully solve the system of equations generated by the coefficients of P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) modulo ϕ(p) or 2 x , since R 0 and R n are even, we turn our attention to the ring Z/qZ . We first discuss two ways of considering the publicly available coefficients of P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) modulo q. One way is to consider the coefficients of P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) that are not associated with the pure x 0 term, namely p kj 1 j 2 ...j m and q kj 1 j 2 ...j m for all k ∈ {1, . . . , n + − 1} and j 1 j 2 . . . j m = 00 . . . 0. Solving this system of equations does not give the attacker any information about the signature component E. The other way for a malicious party to find private keys from public keys is to consider all of the shared coefficients of P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) including coefficients p k00...0 = k=t+s f t c s00...0 − e φ k and q k00...0 = k=t+s h t c s00...0 − e ψ k respectively for all k ∈ {1, . . . , n + − 1}. The latter approach involves systems of equations with more variables and equations. Note also that the term E can be derived from A, B, C, and D as We start by considering the first approach, namely the one without coefficients of P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) associated with pure x 0 terms modulo q. Note that similar to MPPK KEM 5 , we can set the public key parameters in such a way that the attacker is faced with an underdetermined systems of equations when considering the shared coefficients of the polynomial P(x 0 , x 1 , . . . , x m ) separately from the shared coefficients of the polynomial Q(x 0 , x 1 , . . . , x m ).
m be the base polynomial. Publicly available coefficients of P(x 0 , x 1 , . . . , x m ) , without pure x 0 terms, form an underdetermined system of equations, when The same holds true for the coefficients of Q(x 0 , x 1 , . . . , x m ) considered independently without the pure x 0 terms.
Publicly available coefficients of $P(x_0, x_1, \ldots, x_m)$ or $Q(x_0, x_1, \ldots, x_m)$ considered independently, and without pure $x_0$ terms, form a system of k for any desired $j_k$. Then publicly available coefficients of $P(x_0, x_1, \ldots, x_m)$, without pure $x_0$ terms, form an underdetermined system of equations, when $(\lambda - 2)(J - 1) < \lambda + 2$. The same holds true for publicly available coefficients of $Q(x_0, x_1, \ldots, x_m)$ considered independently without the pure $x_0$ terms.
k for any desired $j_k$. In this case, the coefficients of the polynomial $P(x_0, x_1, \ldots, x_m)$ or $Q(x_0, x_1, \ldots, x_m)$ without pure $x_0$ terms considered independently from one another form a system of Then, the number of variables $(n + 1)(J - 1) + \lambda + 2$ is greater than the number of equations $(n + \lambda - 1)(J - 1)$.

Proposition 4.3 When the coefficients of
, without the pure x 0 terms, are examined together they form an overdetermined system of equations.
Proof Let the base polynomial be as defined in the Corollary 4.2. Considering two public polynomials P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) together yields a system of Equivalently, if the base polynomial is defined as in the Proposition 4.1, then considering P(x 0 , x 1 , . . . , x m ) together with Q(x 0 , x 1 , . . . , x m ) yields a system of We now consider the second approach, namely the one that includes coefficients of P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) associated with pure x 0 term modulo q.

Proposition 4.4 Let the base polynomial be
The shared coefficients of the polynomial P(x 0 , x 1 , . . . , x m ) , including the pure x 0 terms, considered separately from the shared coefficients of the polynomial Q(x 0 , x 1 , . . . , x m ) , and vice versa, produce an underdetermined system of equations.

Corollary 4.5 Let the base polynomial be defined as
for any desired $j_k$. Let $(\lambda - 2)J < n + 2\lambda + 1$. The shared coefficients of the polynomial $P(x_0, x_1, \ldots, x_m)$, including the pure $x_0$ terms, considered separately from the shared coefficients of the polynomial $Q(x_0, x_1, \ldots, x_m)$, and vice versa, produce an underdetermined system of equations.
Proof Let the base polynomial be $\beta(x_0, x_1, \ldots, x_m) = \sum_{i=0}^{n} \sum_{j=1}^{J} c_{ij} X_j x_0^i$, where $X_j = \prod_k x_k^{j_k}$ for any desired k and $j_k$. Considering all the public coefficients of $P(x_0, x_1, \ldots, x_m)$ or $Q(x_0, x_1, \ldots, x_m)$ separately produces a system of Let $(\lambda - 2)J < n + 2\lambda + 1$. Then such system is underdetermined.

Proposition 4.6
If the publicly available coefficients of the polynomials $P(x_0, x_1, \ldots, x_m)$ and $Q(x_0, x_1, \ldots, x_m)$ are considered together, they can produce an overdetermined or an underdetermined system of equations, depending on the parameters n, λ, m, and $l_k$ for each $k \in \{1, \ldots, m\}$.
Proof Let the base polynomial be as in the Proposition 4.1. Considering the coefficients of $P(x_0, x_1, \ldots, x_m)$ and $Q(x_0, x_1, \ldots, x_m)$ together, they will produce a system of Then if $\lambda = 3$, $n = 2$, and $\prod_{k=1}^{m} (l_k + 1) = 5$, the system of equations produced by the coefficients of On the other hand, if $n = 2$, $\lambda = 2$, and $\prod_{k=1}^{m} (l_k + 1) = 3$, such system is underdetermined. Equivalently, if the base polynomial is defined as in the Proposition 4.2, then public polynomials considered together result in the system of Such system is overdetermined if $\lambda = 3$, $n = 2$, and $J = 5$, and underdetermined when $n = 2$, $\lambda = 2$, and $J = 3$.
We claim that one possible way for the attacker to solve the systems of equations produced by the coefficients of the shared polynomials $P(x_0, x_1, \ldots, x_m)$ and $Q(x_0, x_1, \ldots, x_m)$, regardless of whether it is underdetermined or overdetermined, is to solve the system modulo q first, then lift the solutions to the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$. For instance, assume that the attacker can solve the system of equations produced by the polynomial $P(x_0, x_1, \ldots, x_m)$ in the ring $\mathbb{Z}/q\mathbb{Z}$ to find $f_0$. This result considered modulo $\phi(p)$ is not a single value, but rather an entire equivalence class or equivalently a list of values of the form $f_0 + iq$ less than $\phi(p)$ for positive integers i. Such a list consists of $2^x$ values. One of the list values is the correct solution modulo $\phi(p)$. One way to deterministically conclude whether the value is correct is to solve the same system of equations in the ring $\mathbb{Z}/2^x\mathbb{Z}$. Similarly, consider the equivalence class generated by the solution $f_0$ modulo $2^x$ to lift it to the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$. The correct value modulo $\phi(p)$ is an element present in both equivalence classes or lists. On its own, this problem depends on the size of the lists, or equivalently the number of elements of the equivalence classes less than $\phi(p)$. Note, however, that the attacker is unable to fully solve the system of equations modulo $2^x$, since $R_0$ and $R_n$ are even numbers, thus it is impossible to find an inverse of $R_0$ or $R_n$ in the ring $\mathbb{Z}/2^x\mathbb{Z}$. So the attacker is reduced to only solving the system of equations in the field $\mathbb{Z}/q\mathbb{Z}$, and then trying to lift the solution to the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$ using another way. The complexity of solving underdetermined systems of m equations in n unknowns over a field $F_q$ is The complexity of solving an overdetermined system of equations modulo q is O q n 2.718k log q n , where n is the number of variables, and k is the highest degree of the polynomials [61].
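The lifting argument above, together with the exponent congruence the scheme rests on, worked through on toy parameters. This is an added example, not code from the paper: the tiny parameter sizes, the function names and the single relation c = R·f mod ϕ(p) standing in for the public-coefficient system are assumptions made for illustration. It goes one step beyond the text by counting how many lifted candidates stay consistent with a known product.

```python
"""Toy model of the mod-q / mod-2^x split of Z/phi(p)Z for p = 2^x * q + 1.

Added illustration, not the paper's code. Parameters are tiny, and the
"public value" c = R*f mod phi(p) is a one-equation stand-in for the
public-key coefficient system (an assumption made for this example).
"""
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def generalized_safe_prime(x: int, q_start: int = 3):
    """Return (p, q) for the first odd prime q >= q_start with p = 2^x*q + 1 prime."""
    q = max(q_start, 3) | 1  # start from an odd value
    while not (is_prime(q) and is_prime((1 << x) * q + 1)):
        q += 2
    return (1 << x) * q + 1, q


def exponent_congruence(g: int, a: int, b: int, p: int) -> bool:
    """Core property: a = b (mod phi(p)) implies g^a = g^b (mod p)."""
    if (a - b) % (p - 1) != 0:
        raise ValueError("a and b must agree modulo phi(p) = p - 1")
    return pow(g, a, p) == pow(g, b, p)


def invertible(r: int, modulus: int) -> bool:
    """True when r has a multiplicative inverse modulo `modulus`."""
    return gcd(r, modulus) == 1


def lift_candidates(residue_mod_q: int, q: int, x: int):
    """All 2^x elements of Z/phi(p)Z that reduce to residue_mod_q modulo q."""
    return [residue_mod_q % q + i * q for i in range(1 << x)]


def consistent_lifts(f_secret: int, r: int, q: int, x: int):
    """Lifted candidates that reproduce the public product c = r*f mod phi(p).

    Models a party that (by assumption) already holds f mod q and r and
    tests every lifted value against the known product. The number of
    survivors equals gcd(r, 2^x): 1 for odd r, at least 2 for even r.
    """
    phi = (1 << x) * q
    c = (r * f_secret) % phi
    return [f for f in lift_candidates(f_secret % q, q, x) if (r * f) % phi == c]


def demo():
    """Compare odd and even multipliers on constructed toy values."""
    x = 4
    p, q = generalized_safe_prime(x)   # p = 113, q = 7, phi(p) = 112
    phi = p - 1
    f = 45                             # constructed secret coefficient
    rows = []
    for r in (5, 6, 8, 16):            # one odd multiplier, three even ones
        rows.append((r, invertible(r, phi), len(consistent_lifts(f, r, q, x))))
    return p, q, rows


if __name__ == "__main__":
    p, q, rows = demo()
    print(f"p = {p}, q = {q}, phi(p) = {p - 1}")
    for r, inv, survivors in rows:
        print(f"R = {r:2d}  invertible mod phi(p): {inv!s:5}  consistent lifts: {survivors}")
```

With an odd multiplier the known product pins the lift down to a single value; with an even multiplier several lifts remain indistinguishable, and all $2^x$ of them do when the multiplier is a multiple of $2^x$.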
Note that the results found modulo q are not deterministic, since the lifting step adds uncertainty to the solution. One way to successfully lift the solutions modulo q to modulo ϕ(p) is to recreate the terms of the form p kj 1 j 2 ...j m and q kj 1 j 2 ...j m , where p kj 1 j 2 ...j m and q kj 1 j 2 ...j m are coefficients of the polynomials P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) respectively using the elements in the equivalence classes of the solutions found modulo q. Classical complexity where v is the number of unknowns, and c is an integer that depends on n, and . Quantum complexity is O 2c n+1 +1 2 xv due to Grover's algorithm. Depending on if the attacker is including the pure x 0 terms, v and c will vary.
Thus, as with MPPK KEM 5 , the malicious party chooses whether to take advantage of the shared coefficients and solve an overdetermined system of equations or consider an underdetermined system of equations and use the solution to such system to solve another set of equations. Let p kj 1 ...j m be the shared coefficient of the polyno-

Claim 4.7
There exists a way to attack the publicly available coefficients of P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) modulo q, and then lift the solution to the ring Z/ϕ(p)Z. This attack has classical complexity of (n + − 1)J equations in [(n + 1)J] + n + 2 + 1 variables. are found, they can be directly substituted in the system of equation generated by the publicly available terms q k11...1 of Q(x 0 , x 1 , . . . , x m ) to solve for h ′ t = R n h t for all t ∈ {0, 1, . . . , } . Suppose that R n is known, then it is a simple calculation to find h t for all t ∈ {0, . . . , }. Note that the attacker can divide coefficients of N n by the coefficients of the base polynomial to derive R n . Then the attacker can construct signature components A, B, C, and D once they lift the solutions to the ring Z/ϕ(p)Z . The malicious party can use values A, B, C and D to derive E since E = A Q B −P C −N 0 D −N n . So in order to find all the private information modulo q necessary to forge a signature one needs to brute force search R 0 and f t for all t ∈ {0, . . . , } . The complexity of this part of the approach is O q +2 using classical system and O q +2 using a quantum system. Note however, that to find the original value modulo ϕ(p) , the attacker needs to lift the solutions modulo q to modulo ϕ(p) . The attacker knows actual shared values of the coefficients of P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) . Thus, the attacker can try to recreate these coefficients using elements of the equivalence classes or lists generated by the solutions modulo q to find a match between the actual value and the one recreated by the attacker. The classical complexity of the lifting method is O 2 n+1 +2 2 x( +2) . Using Grover's algorithm, quantum complexity of the lifting method is O 2 n+1 +2 2 x( +2) .
Overall, the classical complexity of this attack is O q +2 2 n+1 +2 2 x( +2) and the quantum complexity of It is worth mentioning, that in the case of digital signatures, there exists a way to simplify some of the equations produced by the coefficients of P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) . Let p ij 1 ...j m be a coefficient of the polynomial P(x 0 , x 1 , . . . , x m ) associated with the term Since the coefficients of the noise function N 0 (x 1 , . . . , x m ) are components of the terms p lj 1 j 2 ...j m for l ∈ {1, . . . , } and j k ; k ∈ {1, 2, . . . , m} , their values can be directly substituted in these expressions. Similar calculations can be done for the coefficients of N n (x 0 , x 1 , . . . , x n ) and terms q kj 1 j 2 ...j m for j l ; l ∈ {1, 2, . . . , m}, and k ∈ {n, n + 1, . . . , n + − 1}. Such advantage does not effect the solution modulo ϕ(p) , since R 0 and R n are not co-prime to ϕ(p), however these substitutions do benefit the attacker working in the ring Z/qZ by providing unique solution modulo q. Lifting the solutions up to the ring Z/ϕ(p)Z has complexity O(2c(2 xv )), where v is the number of unknowns and c is some constant that depends on and n.
Another attack on the public keys is described in the Kuang's et al. 's MPPK KEM paper. It leverages the fact that the malicious party can produce as many noise functions N 0 and N n as they want, and solve the system produced by the noise variables to retrieve private information. However, similarly to MPPK KEM, if the malicious party generated a set of equations of the form N 0 (x 0 , x ′ 1 , . . . , x ′ m ) =N 0 aiming to find R 0 or the coefficients of the form c 0j 1 ...j m , they are unable to succeed. In the MPPK/DS case the inability to carry out this attack comes from the incapacity to divide by R 0 , since R 0 is not co-prime to ϕ(p) . The same holds true for equations of the form N n = N n (x 0 , x ′ 1 , . . . , x ′ m ) , and R n not co-prime with ϕ(p). If the attacker considers these equations modulo q, they have the same issue as we described in Kuang et al.'s paper 5 , namely the system will produce all zero results. are not co-prime with ϕ(p) . This makes the MPPK/DS algorithm more secure in the sense that it is not possible to obtain explicit relationships between the components of the private key. We now describe another attack on the public key carried out in the ring GF(ϕ(p)) . Considering only the public key, one strategy for the attack in the ring Z/ϕ(p)Z is to brute force search for the terms R 0 , R n , f t , and h t for all t ∈ {0, . . . , } in the ring Z/ϕ(p)Z . The complexity of this search is O([(ϕ(p)) 2 +2 ][ϕ(p) − ϕ(p − 1)] 2 ) using classical device and O([ (ϕ(p)) 2 +2 ][ϕ(p) − ϕ(p − 1)]) using a quantum system. Given the values for R 0 , R n , f t , and h t for all t ∈ {0, . . . , } , the attacker can produce the signature components A, B, C, and D for any hashed message x 0 . The malicious party can use values A, B, C and D to derive E since E = A Q B −P C −N 0 D −N n , thus, fully forge the signature.
However, the next attack on the public key in the ring Z/ϕ(p)Z is far more efficient.
Then the variables $f'_t$ can be found using Equivalent calculations can be done for the variables $h'_t = R_n h_t$ for all t ∈ {0, 1, . . . , }. The attacker can first verify whether the coefficients $c_{i11 \ldots 1}$ found using brute force search are correct. For that, the attacker can check whether all $f'_t$ are zero for t > . If the condition is met, the attacker then verifies whether all $h'_t$ are zero for t > . Then we have a candidate list of $f'_t$, $h'_t$, and $c_{i11 \ldots 1}$ for $i \in \{0, 1, \ldots, n\}$. If the list only contains a single set of those coefficients, we have found the right coefficients. Having this information, the attacker can create signature components A and B. In order to create C and D, the attacker needs to find $f_i$ and $h_i$ for all $i \in \{0, \ldots, \lambda\}$. The most efficient way to do that would be to find them modulo $q$ and then lift them to the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$. The attacker knows $R_0 f_0$, $c_{111 \ldots 11}$ and $N_0$ modulo $q$; these values can be used to find $f_i$ modulo $q$ for all $i \in \{0, \ldots, \lambda\}$. Similar calculations are done for the values $h_0, \ldots, h_\lambda$ in the field $GF(q)$. The adversary then needs to lift these values to the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$. Classical complexity of this part is O (2 x( +1) ) because the adversary needs to test that the lifting is successful by confirming that .., λ}. The same is true for the values of $h_0, \ldots, h_\lambda$. Using Grover's algorithm implemented on a quantum device, the complexity becomes O(2 × √ 2 x( +1) ) for all $2(\lambda+1)$ values. Now the attacker is lacking only the signature component E, which can be obtained from A, B, C, D since $E = A^{Q} B^{-P} C^{-N_0} D^{-N_n}$. Hence, the overall complexity of this attack is O([ϕ(p)] n+1 + 2 × 2 x( +1) ) using a classical system and O( [ϕ(p)] n+1 + 2 × √ 2 x( +1) ) using a quantum system.
Security of the private key given the signature. As mentioned in "Key generation algorithm", neither the base $g$ nor the exponents $R_0 f(x_0)$, $R_n h(x_0)$, $s_0(x_0)$, $s_n(x_0)$ or $t(x_0)$ are known to anyone but the signing party. The signer simply shares the signature A, B, C, D and E. We now examine whether there are relationships between the signature components that a malicious party can exploit.

Proof Recall that $A = g^{R_0 f(x_0)}$ and $B = g^{R_n h(x_0)}$, where $R_0 f(x_0)$, $R_n h(x_0)$ are calculated modulo $\phi(p) = 2^x q$. If we consider the definition of a logarithm, where $\log_A B$ is a constant $t$ such that $A^t = B \bmod p$, it is apparent that $t = \frac{h(x_0) R_n}{f(x_0) R_0}$. However, the element $\frac{1}{R_0}$ does not exist modulo $\phi(p)$, since $R_0$ is not co-prime with $\phi(p)$. Thus, such a value $t$ cannot be computed modulo $\phi(p)$. Similarly, $\log_B A = \frac{f(x_0) R_0}{h(x_0) R_n}$, but $\frac{1}{R_n}$ does not exist in the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$. Hence, there is no explicit way to express A and B in terms of each other in the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$.
These values exist, however, modulo $q$. The attacker might be able to calculate them to find a ratio of the form $\frac{h(x_0) R_n}{f(x_0) R_0}$ modulo $q$. It will not be possible, however, to correctly lift this value to the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$ since the solution modulo $2^x$ does not exist. However, if we consider the signature together with the public key there is a way to find public key, and as a result, forge the signature. We discuss this approach later, towards the end of the section. Moreover, if the adversary uses Shor's algorithm to solve for a discrete logarithm, he will run into a problem. Indeed, let $\bar g$ be a generator of a multiplicative group $(\mathbb{Z}/p\mathbb{Z})^\times$, then where none of the terms $g$, $R_0$, or $f(x_0)$ are known. Therefore, given the numerical value of $\log_{\bar g} A$ it is not possible to conclude anything about the private key. Similarly, where $R_n$, $h(x_0)$, and $g$ are unknown. Thus, taking discrete logarithms of the values A and B does not yield any explicit information modulo $\phi(p)$. Considering these logarithms modulo $q$ is the same as $\log_B A$, since $\log_B A = \frac{\log_{\bar g} A}{\log_{\bar g} B}$.
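The argument above, run on a toy generalized safe prime, as an added example that is not code from the paper or from the MPPK/DS implementation: with an even $R_0$ the exponent of A has no inverse modulo $\phi(p) = 2^x q$, the ratio does exist modulo $q$, and testing the $2^x$ lifts of that ratio against $A^t = B$ leaves two candidates in one constructed case and none in the other. The parameters (x = 4, q = 37 and the sample values of $R_0$, $R_n$, $f(x_0)$, $h(x_0)$) are constructed, and using a primitive root as the secret base $g$ is an assumption of the example.

```python
from math import gcd


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def make_modulus(x, q):
    """Return (p, phi) for a generalized safe prime p = 2^x * q + 1."""
    p = (1 << x) * q + 1
    if q % 2 == 0 or not is_prime(q) or not is_prime(p):
        raise ValueError("need an odd prime q with 2^x * q + 1 prime")
    return p, p - 1  # phi(p) = p - 1 = 2^x * q


def primitive_root(p, q):
    """Smallest generator of (Z/pZ)^*; p - 1 has only the prime factors 2 and q."""
    phi = p - 1
    for g in range(2, p):
        if pow(g, phi // 2, p) != 1 and pow(g, phi // q, p) != 1:
            return g
    raise ValueError("no generator found")


def inverse_or_none(a, m):
    """Inverse of a modulo m, or None when gcd(a, m) != 1."""
    return pow(a, -1, m) if gcd(a, m) == 1 else None


def analyse(x, q, R0, f_x0, Rn, h_x0):
    """Try to recover t with A^t = B the way the text describes."""
    if R0 % 2 or Rn % 2:
        raise ValueError("the scheme requires even R0 and Rn")
    p, phi = make_modulus(x, q)
    g = primitive_root(p, q)      # assumption: stands in for the secret base
    a = (R0 * f_x0) % phi         # exponent of A = g^(R0 f(x0))
    b = (Rn * h_x0) % phi         # exponent of B = g^(Rn h(x0))
    A, B = pow(g, a, p), pow(g, b, p)

    inv_q = inverse_or_none(a, q)
    if inv_q is None:
        raise ValueError("R0 f(x0) is 0 modulo q; pick other sample values")
    t_q = (b * inv_q) % q         # the ratio exists in GF(q)

    # Every t = t_q + k*q (k = 0 .. 2^x - 1) reduces to t_q modulo q.
    candidates = [t_q + k * q for k in range(1 << x)]
    survivors = [t for t in candidates if pow(A, t, p) == B]
    return {
        "p": p,
        "phi": phi,
        "inverse_mod_phi": inverse_or_none(a, phi),  # None: a is even
        "t_mod_q": t_q,
        "lift_candidates": len(candidates),
        "survivors": survivors,
    }


if __name__ == "__main__":
    # Constructed sample values, far too small for real use.
    for R0, f, Rn, h in [(6, 5, 10, 9), (4, 5, 2, 9)]:
        print(analyse(4, 37, R0, f, Rn, h))
```

In the first case the two surviving lifts differ by $\phi(p)/2$, so the check cannot single one out; in the second the power of two dividing $R_0 f(x_0)$ exceeds that dividing $R_n h(x_0)$ and no lift passes.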

Proof Consider
The expression $\frac{R_n}{R_0}$ does not exist mod $\phi(p)$. So it is not possible to express C in terms of A and B modulo $\phi(p)$. Similarly, D could be written as but $\frac{R_0}{R_n}$ does not exist mod $\phi(p)$. Taking the discrete logarithm does not yield any meaningful information either since where $f_0$, $h_0$ are unknown, and $\frac{R_n}{R_0}$ does not exist modulo $\phi(p)$. For the same reasons $\log_{\bar g} D$ does not offer any meaningful information.
On the other hand, note that the expression where multiplication by $R_0$ is purely symbolic, can exist modulo $\phi(p)$. Then one might suggest creating a system of such equations for different values of A, B, and C in order to find $R_0$, $R_n$, $h_0$, and $f_0$. Note, however, that it is not possible to solve such a system as it will not be possible to express one variable in terms of the other. Indeed, expressing $f_0$ or $h_0$ in terms of $R_n$ or $R_0$ requires dividing by $R_0$ and $R_n$ respectively. Expressing $R_0$ and $R_n$ in terms of other values requires dividing by $\log_{\bar g} B$ or $\log_{\bar g} A$; however, both of these values are a multiple of $R_n$ and $R_0$ respectively, and thus not co-prime to $\phi(p)$. So approaching the problem this way does not provide a solution to the attacker. A similar argument can be made for R n logḡ D = R n f logḡ B − R 0 h logḡ A.
Nevertheless, these expressions can be considered modulo $q$, but it is exponentially hard to lift the solution to $\mathbb{Z}/\phi(p)\mathbb{Z}$. Note that systems of equations with polynomials such as $R_0 \log_{\bar g} C = R_0 f_0 \log_{\bar g} B - R_n h_0 \log_{\bar g} A$ considered modulo $q$ will yield $R_0$, $R_n$, $f_0$, $h_0$. Considering a system of equations that consists of polynomials of the form R n logḡ D = R n f logḡ B − R 0 h logḡ A, yields R 0 , R n , f , and h modulo $q$. Let = 3 . One way to determine which elements of the equivalence classes of R 0 , R n , f 0 , f , h 0 , and h are the actual solutions in $\mathbb{Z}/\phi(p)\mathbb{Z}$ is to use brute force search to find the coefficients $c_{011 \ldots 1}$, $c_{111 \ldots 1}$, $c_{211 \ldots 1}$, $c_{311 \ldots 1}$ and $f_1$, $f_2$, $h_1$, $h_2$

Taking the logarithm with respect to some generator $\bar g \in \mathbb{Z}/p\mathbb{Z}$ yields It is natural to consider a system of such equations for every new $x_0$, A, B and E; however, the unknowns $E_\varphi(x_0)$ and $E_\psi(x_0)$ change with every new choice of $x_0$, so the system, regardless of the number of polynomials, is always underdetermined. Modulo $q$, the system is also underdetermined and does not produce unique solutions. Another possible attack to deduce the private key from the signature utilizes the public key. We describe it in the following proposition.
Proof Start by computing $\log_{\bar g} A$ and $\log_{\bar g} B$ modulo $q$ for different values of A and B associated with different $x_0$ to obtain a system of equations of the form Once these values are found, they can be used to create a matrix modulo $q$ with respect to the coefficients of the public polynomials $P(x_0, x_1, \ldots, x_m)$ and $Q(x_0, x_1, \ldots, x_m)$ as shown in "Security of the private key given the public key". This matrix is used to find the coefficients $c_{k111 \ldots 1}$ of the base polynomial. Note that the coefficients of the noise functions and the base polynomial can be used to find $R_0$ and $R_n$, and therefore, $f_t$ and $h_t$ for t ∈ {0, 1, . . . , }. Everything computed using this approach up to this point is computed modulo $q$. Now, we lift the values $c_{k11 \ldots 1}$ for $k \in \{0, 1, \ldots, n\}$ to the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$, and use these values as well as the coefficients of the public polynomial $P(x_0, x_1, \ldots, x_m)$ to check if the lift is successful. It is successful if the inverse of the matrix constructed using the coefficients of the base polynomial multiplied by the vector of the coefficients of the public polynomial $P(x_0, x_1, \ldots, x_m)$ yields a vector with a few bottom values equal to 0. We discussed this construction in more detail in "Security of the private key given the public key". Classical complexity of this lifting part is $O(2^{x(n+1)})$, and the quantum complexity is $O(\sqrt{2^{x(n+1)}})$ due to Grover's algorithm. The lifted values of the base polynomial coefficients are then used to find $f'_t$ and $h'_t$ in the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$ for all t ∈ {0, 1, . . . , }. In order to find $R_0$ and $R_n$ in the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$, one can simply divide the coefficients $R_0 c_{011 \ldots 1}$ of $N_0$ by $c_{011 \ldots 1}$ and $R_n c_{n11 \ldots 1}$ of $N_n$ by $c_{n11 \ldots 1}$. The only thing left to do in order to be able to create A, B, C and D for any $x_0$ is to lift $f_t$ and $h_t$ to the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$ for all t ∈ {0, 1, . . . , }.
That can be done by comparing the values $f'_t$ and $h'_t$ computed using the matrix of base polynomial coefficients and the values $R_0$, $R_n$ that are known and $f_t$, $h_t$ lifted from $\mathbb{Z}/q\mathbb{Z}$. Classical complexity of lifting the values $f_t$ and $h_t$ is O(2( + 1)2 x ), and quantum complexity is O(2( + 1) √ 2 x ) due to Grover's algorithm. The overall classical complexity is then . Using this attack the malicious party can compute A, B, C and D for any hashed document or message value $x_0$. The value E can then be expressed as

Proof This attack utilizes signature components A, B, C and D without the public key. Note that for any genera- , . . . , } . Let an adversary consider the following system of equations, where values $A_k$ are obtained from communication records between the signer and the verifier for all values k ∈ {1, . . . , + 1}.  (2 x(2λ+4) ). The component E can be calculated using $E = A^{Q} B^{-P} C^{-N_0} D^{-N_n}$. Overall, the total classical complexity of the attack is O(p +1 4( + 1)( √ p log p)2 x(2 +4) ). Quantum complexity is O( 4( + 1)p +1 2 x(2 +4) ) using Grover's algorithm for brute force search.
Spoofing attacks. Recall that the base $g \in \mathbb{F}_p$, as well as the polynomials $f(x_0), h(x_0) \in \mathbb{Z}/(\phi(p))\mathbb{Z}[x]$, the constants $R_0, R_n \in \mathbb{Z}/\phi(p)\mathbb{Z}$, and the polynomials $E_\varphi(x_0), E_\psi(x_0) \in \mathbb{Z}/(\phi(p))\mathbb{Z}[x]$ are unknown. The attacker might try to look at any existing relationship between the values A, B, C, D and E. Then, if any other values $A' \neq A$, $B' \neq B$, $C' \neq C$, $D' \neq D$ and $E' \neq E$ satisfy the same relationship, they might be used as a signature, and pass verification. We showed in the "Security of the private key given the public key" section that none of the values A, B, C, D and E can be expressed in terms of one another. Another way for the malicious party to carry out a spoofing attack is to break the value $A = g^{R_0 f(x_0)}$ into and obtain every element of the form $g^{R_0 f_i}$ for i ∈ {0, . . . , }. Similarly, obtain the terms $g^{R_n h_i}$ from $B = g^{R_n h(x_0)}$, the terms $g^{R_n f_0 h_i}$, $g^{-R_n h_0 f_i}$ from $C = g^{s_0}$, and the terms g R 0 f h i , g −R 0 h f i from $D = g^{s_n}$ for all i ∈ {0, . . . , }. The attacker also needs to obtain the terms g R 0 R n [h i e φ j −f i e ψ j ] from E. This way, the attacker can easily change the original document $x_0$ into a different document with the correct signature, in other words, achieve universal forgery. In this case, the verifier will not be able to determine any malicious activity as the document and the signature will pass the verification without raising any issues.
We show that such an attack is not applicable because it does not yield deterministic results if the terms described above are found using brute force.

Proposition 4.14 Generating all components of the form
logḡ

Scientific Reports | (2022) 12:13168 | https://doi.org/10.1038/s41598-022-15843-x

Proof For the proof we consider a simplified example with quadratic polynomials $f(x_0)$ and $h(x_0)$. The proof for the general case is identical. We have the following equations Using brute force, the attacker needs to go over every term $g^{R_0 f_1}$ and $g^{R_0 f_2}$, and consider an equality of the form which yields $g^{R_0 f_0}$. Thus, to generate tuples $(g^{R_0 f_0}, g^{R_0 f_1}, g^{R_0 f_2})$ the malicious party needs to sample $p^2$ elements. Since the ratios of the form $\frac{R_0 f_i}{R_n h_i}$ do not exist for any $i \in \{0, 1, 2\}$, the attacker has to find tuples using the same strategy. However, the terms $g^{R_0 f_1}$ and $g^{R_0 f_2}$ are simply elements of the field F p s . The attacker has already calculated $a^{x_0} b^{x_0^2}$ for all possible elements a, b ∈ F p s . All such terms can be reused to find all possible $g^{R_n h_0}$ from the equality Thus, to construct tuples $(g^{R_n h_0}, g^{R_n h_1}, g^{R_n h_2})$ the attacker does not need to sample any more terms but the calculations require going through $p^2$ terms. Similarly, the existing sampled terms $a^{x_0} b^{x_0^2}$ for all possible elements a, b ∈ F p s can be reused for C. Indeed, the equations are Checking the value for C requires going through $p^2$ items. In our example, with quadratic functions $f(x_0)$, $h(x_0)$, the equation for D has the following form The attacker needs to go through $p^2$ values to check for D. Lastly, the malicious party has to consider the following equation with mod p The attacker will need to go through $p^n$ elements. One of the terms can be derived as a ratio between E and the remaining terms of the form g . The complexity of generating all the tuples is, therefore, $O(p^{n+8})$ for this example. However, there is no efficient way to determine which five tuples, one for each of A, B, C, D and E, are the correct ones used by the signing party.
For that one might try to create A, B, C, D and E for different x 0 and verify that A Q = B P C N 0 D N n for different P, Q, N 0 and N n . In the case that the attacker finds the correct tuples associated with A, B, C, D, and E, since the tuples are independent of x 0 , the attacker can use them to forge a signature for any x 0 .
There are other ways to carry out a spoofing attack. However, we claim that the following approach is the most efficient. Recall that $A^{Q} = B^{P} C^{N_0} D^{N_n} E$ for any $P$, $Q$, $N_0$, $N_n$ computed using publicly available coefficients provided by the signer. Thus, given $P$, $Q$, $N_0$, and $N_n$ the attacker should look for values A, B, C, D

Another attack on the public key that we have discovered has classical complexity of +2 2 x( +2) ]) .

[Attack 3] A different attack the malicious party can undertake is to gain enough information from a genuine signature obtained from a communication interception between the signer and verifier as well as the public key and use that information to recreate a full signature for any message or document $x_0$. The classical complexity of this attack is C 3 = O([2(2 + 1) log p]q 3 2 2 x(n+1)+x/2 + 2( + 1) × 2 x ) .

[Attack 4] A similar attack that only uses a genuine signature has classical complexity of C 4 = O(4( + 1)p +1 [ √ p log p]2 x(2 +4) ) .

[Attack 5] And lastly, the attacker can directly spoof the signature. The complexity of direct spoofing is $C_5 = O(p^{4+m})$.

Of these five attacks, the attack that uses genuine signatures is in favor of the attacker with classical complexity C 2 = O([2(2 + 1) log p]q 3 2 2 x(n+1)+x/2 + 2( + 1) × 2 x ).

For complexities of cracking MPPK/DS using a quantum computer, the adversary can use a public-key-only attack that has quantum complexity of ). Another attack that uses public keys has quantum complexity of . The adversary can also use honest signatures obtained from communication records. The attack that uses honest signatures in conjunction with public keys has quantum complexity of . The attack that uses signatures only has quantum complexity C 4 = O( 4( + 1)p +1 2 x(2 +4) ). Lastly, the attacker can directly spoof the signature. Quantum complexity of this case is C 4 = O( p 4+m ).

Brief benchmarking results and optimal parameters of MPPK/DS
We now introduce optimal parameters and report benchmarking results for MPPK/DS. For benchmarking, we used the NIST-recognized SUPERCOP benchmarking tool. SUPERCOP was run on a system with a 16-core Intel® Core™ i7-10700 CPU at 2.90 GHz.

Configuration.
We begin by requiring that the prime $p$ is a generalized safe prime (or a special Cullen prime) such that $p = 2^x q + 1$, where $q$ is a prime number. We will further discuss $x$ and $q$ with respect to the desirable security level. We require that the noise coefficients $R_0$ and $R_n$ are even non-zero numbers in the ring $\mathbb{Z}/\phi(p)\mathbb{Z}$. We require that A, B, C, D, and E are all integers in the field $\mathbb{F}_p$ not equal to 0 or 1. We require that neither $N_0$ nor $N_n$ is equal to zero modulo $\phi(p)$. 2 2 x(n+1)+x/2 + 2( + 1) × 2 x ) , which depends majorly on x. Thus, when making decisions about $x$ and $q$, it is important to make $x$ and $q$ sufficiently large to guarantee the security of the DS scheme. We also suggest setting m ≥ 1, n ≥ 2, and ≥ 2 for optimal performance of key generation, signing, and verification to achieve the three NIST security levels.
We provide optimal parameters for each security level, considering classical complexity of each attack we have discovered in Table 2. That is, the parameters given in Table 2 are sufficient to meet corresponding NIST security level and avert the corresponding attack.
Benchmarking results. Assuming the parameters shown in Table 2 for each corresponding security level and the complexity of all attacks considered together, that is, the last row of Table 2, we report benchmarking results for MPPK/DS. We used the NIST-accepted SUPERCOP benchmarking tool. All the NIST third round finalists' SUPERCOP measurement data was contributed to SUPERCOP. Thus, we take advantage of the common performance measurement platform and report on the benchmarking results of MPPK/DS alongside the NIST third-round DS finalists, namely the Crystals-Dilithium, Falcon, and Rainbow algorithms. The system used for all primitives is a 16-core Intel® Core™ i7-10700 CPU at 2.90 GHz.
For this paper, we use a snapshot of detailed data reported separately 62 . Performance measurements presented in this section are median values. The average values, quartile values, as well as standard deviation, and error rates are available separately 62 .
We first present the reader with Table 3, illustrating public key sizes and signature sizes of the MPPK/DS scheme and the NIST third round finalists in bytes, for NIST security levels I, III, and V. Public key sizes of the MPPK/DS algorithm are calculated using the formula m[2(n + − 1) + 2] = 2m(n + ) over GF(p), since the public key consists of the coefficients of the polynomials $P(x_0, x_1, \ldots, x_m)$ and $Q(x_0, x_1, \ldots, x_m)$,

Table 3. Public Key and Signature sizes of the MPPK/DS scheme as well as the NIST PQC Round 3 Finalists, with values given in Bytes corresponding to various NIST Security Levels.
a The rainbow1aclassic363232 primitive was measured for Level I, rainbow3cclassic683248 for Level III, and rainbow5cclassic963664 for Level V.
b Dilithium does not provide a primitive for NIST Level I, dilithium3 was used for Level III, and dilithium5 for Level V.
c For Falcon, falcon512dyn was measured for Level I, no primitive was measured for Level III, falcon1024dyn was measured for Level V.

| Scheme | Public key size (B), Level I | Level III | Level V | Signature size (B), Level I | Level III | Level V |
|---|---|---|---|---|---|---|
| MPPK/DS | 192 | 288 | 288 | 80 | 120 | 160 |

Recall that there are five components in the signature, namely (A, B, C, D, E). Each such signature element should be of sufficient size to prevent brute force attacks leading to spoofing. For level I, therefore, each component of the signature is 128 bits. The entire signature is 5 × 128 = 640 bits, which is 80 bytes. Similarly, the signature size for level III is 120 bytes, and 160 bytes for level V. Based on the values in Table 3, sizes of the MPPK/DS are comparable and in some cases noticeably smaller than the corresponding signature sizes of the three NIST finalists.
Key generation performance comparison between the MPPK/DS scheme and the NIST finalists is given in Table 4. From the data shown in the table, MPPK/DS offers efficient key generation, outperforming the NIST Round 3 finalists. A similar account is observed for the signing procedure. Note that the values given in both tables are median values of the SUPERCOP measurement. Table 4 also depicts the median values of MPPK/DS and NIST Round 3 finalists' signature verification performance in clock cycles. The data in the table demonstrates that the signature verification performance of the MPPK/DS primitive is comparable to the Rainbow signature scheme and faster than the Crystals-Dilithium as well as the Falcon algorithms.
The reader will notice that the overall performance of the MPPK/DS scheme is more comparable to the Rainbow scheme than other NIST Round 3 finalists. To explore this a little further, we include Tables 5 and 6 to compare the public key and signature sizes, as well as the performance of the MPPK/DS algorithm and the NIST Round 3 multivariate finalist and alternative algorithms, Rainbow and GeMSS 17, 31 . Table 5 shows that public key sizes of the MPPK/DS are noticeably smaller than public key sizes of other multivariate primitives considered. However, signature sizes of the MPPK/DS are greater than those of the GeMSS algorithm and comparable to the Rainbow algorithm. Table 6 provides a comparison of the performance measurements between MPPK/DS, and the Rainbow and GeMSS signature schemes. All the values are given in clock cycles. Note, however, that the values for MPPK/DS and Rainbow are taken from our own benchmarking work, using SUPERCOP, and only the median values are provided in the table. The system that was used to measure the performance of MPPK/DS and Rainbow is a 16-core Intel® Core™ i7-10700 CPU at 2.90 GHz. On the other hand, the values for GeMSS were taken from their official online page. The performance was measured using MQsoft on a Skylake processor, an Intel® Core™ i7-6600U CPU at 2.60 GHz. Table 6 values show that MPPK/DS achieves more efficient key generation and signature creation procedures compared to the Rainbow and GeMSS signature schemes. However, the signature verification performance of MPPK/DS is not as efficient as the Rainbow algorithm for level I security. For level III, MPPK/DS performance is comparable with Rainbow and GeMSS. For level V, a noticeable difference between values is observed, with MPPK/DS outperforming both the Rainbow and GeMSS signature schemes.

Table 5. Public Key Sizes of the MPPK/DS scheme as well as the NIST PQC Round 3 multivariate DS schemes, with values given in Bytes.
a The rainbow1aclassic363232 primitive was measured for Level I, rainbow3cclassic683248 for Level III, and rainbow5cclassic963664 for Level V.
b GeMSS128 primitive corresponds to values for level I, GeMSS192 corresponds to values for level III, and GeMSS256 corresponds to values for level V.

| Scheme | Public key size (B), Level I | Level III | Level V | Signature size (B), Level I | Level III | Level V |
|---|---|---|---|---|---|---|
| MPPK/DS | 192 | 288 | 288 | 80 | 120 | 160 |
| Rainbow a | 161,600 | 882, | | | | |
Overall, MPPK/DS achieves rather small public key and signature sizes and offers efficient key generation, signature creation, and signature verification procedures compared to other PQC signature schemes.

Conclusion
We presented a new quantum-safe digital signature algorithm called MPPK/DS. It is based on Kuang et al.'s MPPK KEM algorithm. MPPK/DS is multivariate and quantum-safe, and falls into the category of probabilistic DS algorithms. Indeed, verifying the same signature multiple times with different noise variable values meets the same verification relationship. The core of the signing-verifying relationship is a modular arithmetic property: given $x$ co-prime to $n$ and two integers $a$ and $b$ such that $a \equiv b \pmod{\phi(n)}$, we have $x^a = x^b \pmod{n}$, where $\phi(n)$ is Euler's totient function evaluated at $n$. Using a generalized safe prime $p = 2^x q + 1$, discussed in "MPPK digital signature and verification", we performed a security analysis of the MPPK/DS algorithm to conclude that the complexity of the best possible attack on the MPPK/DS is O([2(2 + 1) log p]q 3 2 2 x(n+1)+x/2 + 2( + 1) × 2 x ) using classical computing, and O( √ q √ 2 x(n+1) + 2( + 1) × √ 2 x ) for quantum computing. We also report briefly on the performance of MPPK/DS measured using the NIST-recognized benchmarking toolkit SUPERCOP. The overall performance for key generation, signing, and verifying is very efficient, outperforming the NIST 3rd round finalists. We provide a detailed performance analysis of the MPPK/DS algorithm in a companion paper 62 . An MPPK/DS implementation is available online 63 .

Data availability
All data generated or analysed during this study are included in this published article (and its Supplementary Information files).